Posted
by
kdawson
on Tuesday July 13, 2010 @03:51PM
from the look-for-the-guy-with-the-blue-tooth dept.

coondoggie notes a Network World piece on credit-card skimmers found installed in gas pumps, this time in Florida. Like the similar wave of attacks in Utah earlier this year, the latest crop uses Bluetooth to transmit the illicitly collected data. Does this mean an accomplice has to hang around within 3m of the pump? "The Secret Service has indicated there's a crime wave throughout the Southeast involving the gas-station pump card skimmers, and it may be traced back to a single gang that may be working out of Miami... St. Johns County in Florida has also been hit by the gas-pump card skimmers. [A local sheriff's department spokesman] says criminals wanting to hide the credit-card skimmers in gas pumps have to have a key to the pump, but in some cases a single key will serve to get into many gas pumps." Here's an insight from the banking industry on the skimming fraud.

Does this mean an accomplice has to hang around within 3m of the pump?

No. What it means is that there's no need for there to be a wire that leads to the skimmer's recording device... which now can be hidden in the next pump over. This also means the mag reader could be placed in the pump without a recording device, therefore requiring the pump to be taken apart for inspection, adding to the cleanup costs.

Remember, once a fraud becomes so expensive to clear up that the expenses are greater than the total loss, then it's almost allowed to continue unchecked.

Or, in reality, every skimmer records numbers. The thief comes by with the "dumper", buys some gas while take a complete download of the current recorder memory. Its far less risky on the retrieval of the numbers, especially if the skimmers have already been identified and the cops are waiting around the corner for the guys to come back (unlikely, but you never know).

...and with the price of flash memory so low, it would be pretty easy to hide a little digital camera to snap photos of the person as they put the card in and/or stood in front of the machine. It would be easy to download those too and if they saw a few with the manager and a customer standing and pointing at the machine they would know that the gig was up and to just walk away.

I have a Belkin F8T012 USB Bluetooth dongle that works quite well at distances well over 100m. (The advertised maximum is 100m.) It wouldn't be hard to make yourself inconspicuous at that distance from the pump.

Why? If I get mugged at (or on the way to) the gas station I lose my cash. If my card gets skimmed, I do not lose my money. If many people's cards get skimmed from the same place, I may not even have to dispute the transaction - the card company will just cancel the card, invalidate the transactions and issue me a new card.

From the article:When a card is compromised, however, the card issuer has to reimburse the customer. If incidents o

The recording device is in the pump. It records the card numbers internally. The thief then comes back and downloads the data off the skimmer with bluetooth (probably with a phone). Totally inconspicuous.

I doubt the skimmer-makers would bother, unless the cops have quietly been hunting bluetooth emissions for a while now; but it wouldn't exactly be rocket surgery to have a bluetooth device that just sits there, receiving but maintaining absolute radio silence unless it hears a particular transmission(from a particular bluetooth MAC, if you really want to get paranoid). The wireless analog of port knocking, more or less...

Particularly with all the cellphones floating around, a BT radio, even one yelling its little amplifier out, is hardly automatically suspicious in a reasonably crowded area. Somebody who knew what they were doing, had the right set of antennas, and had some knowledge of what they were looking for(if, for instance, the skimmer-manufacturers produced a large batch, all with BT modules from the same manufacturer, or even with MACs in series, and some were captured by conventional physical inspection), could definitely hunt them down much more quickly, unless they are very short range units, or were using some stealth strategy like the above...

BT radios are common, but ones with easily accessible obex files would be even more suspicious. Cracking such things isn't difficult, as there are usually only a thousand association codes-- easily dictionary attacked and done by a simple script.

Bluetooth range can go up to 100 meters depending on the class of the transmitter. Class 1 ~100m, Class 2 ~10m, class 3 ~1m. A class 2 the recording device could be hidden in the trunk of the abandoned car at the place next door. Class 1 could be down the street.

It seems that the sort of people dedicated enough to develop this attack would also be able to learn to pick locks. I don't know for sure, but I'd guess that a gas pump lock isn't very tough to pick. There's no reason that most people would want to open a gas pump, so there's no reason to use a very expensive, pick resistant lock on it.

There's no reason they have to even open the gas pump to pull it off though, and thats the problem. Pull up with a big SUV so that the Gas pump card reader isn't in view of any cameras. Next, pull your bluetooth reader, which can be smaller in size than a candy bar, put it on over the card reader and attach it with glue such that it is inconspicuous. Finish pumping gas. Go inside, Go to the bathroom. Hide your bluetooth reciever in the ceiling tiles. Come back every 3 days and be that creep that all the gas

The only problem with paying cash for gas is that I generally like to fill up every time, and I don't have any buddies working the local gas station anymore, so there is no way anyone is going to let me fill up before I pay in cash.

This is slashdot where we can log every fill-up and resulting MPG to a graph, then analyze details like, is synthetic worth it(for differential fluid = yes, engine oil was no), how much MPG is ethanol stealing (10% on carburetored motorcycle, EFI is insignificant.)...

(1) Takes extra time to visit a clerk and pay cash.
(2) Amount not recorded automatically. Have to mess around with receipts. During high price periods my gas usage approaches 5% of my budget and should be tracked.
(3) Requires carrying around more cash, especially in periods when prices are high.

Around here it's almost all post-pay the attendant, because they want you to buy stuff in their store. Few pumps have card swipes, and only in selected poor or rough areas do they require pre-payment, sometimes only when the price has spiked.

Where you live (some place in Canada) is not the same as everywhere in (Canada). In Toronto and likely most of Ontario, you only have to prepay when it's late at night or a bad area of the city (or both).

This is not new in Europe. Every ATM now has it. Also sine 3-4 years ago all cards have a chip in them. The transaction is authorized by the chip in a real-time two way communication, and you have to punch in the pin code. But that is never going to happen here in US, primary because it means no tips. But why bug gas stations - just go work as a waiter, or at any cash register desk and just routinely slide the card through a second reader. In EU the waiter at a restaurant has to bring the POS terminal to your table. You insert the card into the slot, while the card is in the slot the waiter puts in the amount, you check it, decide to tip or not, put the amount of tip in, then dial your pin code. Then the chip on the card already connected with the bank of the POS terminal starts to make the transaction, the bank proxies that transaction to your bank, the chip on the card talks with your bank, and it's done, money are wired from you account to the merchant account. Plain and simple, and in no more than 10 seconds you get an SMS on your cell phone - hey - merchant XXX, pos terminal ID YYY just withdrew 20 euro from your card ending in..... If it's not you, you pick up the phone, call your bank and just tell them it is not you. And that's it.. the merchant cannot change the amount you were billed at a later time. Here in US you have to wait up to 5 days to have it posted and it could get changed a lot (usually because of the tips).

You have to decide whether you want a convenience of just waving your card in front of a cash register, or you want the security of actually allowing the transfer of funds from your account. As for the banks - it will always be easier and more profitable to have the people loose their money and go into debt. That is why only a strong government regulation can make them change something. On a little bit of side not - in Europe if you don;t have enough funds in your card the transaction is refused and no penalty is payed. Here, because of the delay in posting transactions you could easily overdraw your card, and get charged 50 for each transfer after the limit.

According to my father, who is a Branch Manager at Citibank, the Citi ATMs now have a system that shuts down the ATM completely (ie. the screen goes blank, the CPU shuts off, and the cash gets locked down) if any metal/magnets are placed on/near the card reader. To reboot, the ATM has to be opened (usually from the inside of the building) and manually reset. All to help avoid skimmers.

However, I've stuck my magnetic billfold right on top of the card reader and nothing happened, so YMMV.

And if someone is able to compromise both the card and that image of "what it should look like"?

In this kind of situation it is better to have banks telling people — through another medium — what the terminals should look like. (But in some countries this might not be possible, if every bank/network has its own design)

The point, as far as I can tell, is that there are many chances to bolt on external junk, whilst it's pretty difficult/unusual to be able to compromise the ATM itself. External devices are just opportunistic ways of reading the data off your card (ie. magnetic strip, maybe a camera to read out the PIN as the user inputs it). I suppose you could place an overlay on the screen, but it sounds like a lot of work compared to a little magnetic strip reader.

Even in situations where there isn't an inside man(and I'm sure that there sometimes is), a scheme that habituates the employees, anybody monitoring the CCTV cameras, and the public at large, to people frequently opening and poking at the pumps is likely to decrease security, rather than increase it.

The uniforms of gas station employees aren't exactly secret, nor are clothes that look very much like them hard to get ahold of(given that they are generally just plaincloths, or mechanic-style coveralls, pos

Because gas stations are no longer gas stations manned by trained mechanics. They are convenience stores, manned by people who generally don't have any control or technical knowledge of the pumps. Prices are set over the internet. About all the cashier can do is put a yellow bag over the handle if there's a complaint about a pump, and call it in.

Because the type of person who works at a gas station is hardly the type of person who can be trained to identify sophisticated electronics. Also, if, like previous commenters suggest, the bluetooth addition forces the pump to be dissasembled, you are talking about adding significantly to the cost of the gas station owner. It's another reincarnation of the old formula: if (cost to fix problem - cost of letting problem go unfixed > 0) then don't fix problem, else hire lobbyists.

I was a gas station attendant for 3 years while getting my college degrees.

It was a nice easy job with fringe benefits like the ability to do homework on the job, free soda fountain mountain dew and access to jailbait.

At one time we had me - a CS major doing AI research and a Nuclear Physics major on her way to the Air Force Academy running the night shift.

Most of the people who can't handle the gas station clerk position think exactly like you do,except they don't realize that they have to do paperwork at the end of each shift and quit because division is to hard.

Most of the people who can't handle the gas station clerk position think exactly like you do,except they don't realize that they have to do paperwork at the end of each shift and quit because division is to hard.

The problem is that not every gas station is structured like that. I worked at a Gas station for 2 and a half years, and they basically had 3 people on duty at all times. 2 to run the tills, maintain the cleanliness of the store, and watch the pumps. 1 would be in the back office, doing that paperwork and occaisonally watching security cams. The only paperwork the front line people had to do was count out their till to $100 each time their shift began and ended. Anyone with a pulse could have worked that job. The only way to keep that job was to NOT steal money.)

And while I wouldn't expect much from even those people, I think they could identify a card reader if taught how. It's as easy as saying "Look at this specific part of the pump. Remember how it looks. Every morning I want you to look at it. If it ever looks different, inform me."

Using public key cryptography your card can know it's communicating with a real terminal, and the bank can know it's a real card. You card can then "sign" the transaction.

All my cards have chips. They all have magnetic stripes too, so they work in the USA, although maybe it'd be cheaper for my bank if the standard card didn't have one, and I had to ask for a card with a magstripe if I wanted to use it outside much of Europe and a few other places. People stealing the magstripe data still happens here, altho

No, although I saw a picture of a card with a tiny LCD screen somewhere. That would be useful to verify the amount -- someone could tamper with a terminal's display to show one amount, but ask the card to authenticate a different amount.

I don't know whether there's a key in the terminal that the card can validate...

There's been a case where tampered readers [wikipedia.org] have led to fraud (see "Successful attacks"), but that relied on using non-EMV transactions.

I also have one of these [wikipedia.org], which so far my bank only uses to

What's needed is an end-to-end validation system. My card needs to tell me if I'm connected over a secure, untampered channel to my bank; maybe some LEDs along with the chip (that's right, ditch the magnetic stripe). My bank needs to know that it is a valid card; perhaps some sort of one time pad that's burned into the card at time of issuance.

While a CC system that doesn't utterly suck, and trust pretty much every link in the chain like it would its own mother, after she had been notarized and presented two forms of photo ID, I suspect that we could be waiting a while for that...

In the meantime, I'm curious why the "card path" of any exposed payment system would be designed such that it has internal voids where 3rd party hardware can be stashed. A mag-stripe reader is just a surface, with a few mm of electronics behind it. Generally, because people aren't too good at keeping their card at just the right distance, you mount the reader parallel to a passive plate a few mm away, through which the card is run. With a surface channel design, the attacker has to stick their skimmer onto the surface, where it can be detected by visual inspection(made easier if the card slot has blinkenlights, a highly specific shape, certain color/pattern, etc.)

If, for some reason, an internal card path must be used, so that the card can be held on to during the transaction or whatever, one could still make sure that the internal chamber is small enough to admit only a card, and that the eject mechanism doesn't just pop the card halfway out; but actually completely scrapes out the internal chamber each cycle(in order to remove, say, a thin-film reader fabricated on a sticky backed piece of flexible circuit board)...

Good mechanical design won't stop all skimmers; because people may not notice even a fairly blatant one just taped on top of the actual reader; but it should be fairly easy, with good design of the card path, to make it impossible to mount an internal reader without doing some in-situ metalworking.

I'm usually paranoid about such things, but I didn't even notice. Chase was really on the ball with it though. The crooks who stole my card weren't able to charge a damn thing, because their first attempt tripped the alarm bells.

These skimmer gangs are pervasive, though. They have people working on the inside at retailers everywhere. When mine was skimmed, they tried to use the card to buy several DVD players at a Walgreens nearby within minutes of me buying gas. As it turned out, they had skimmed several d

The US really needs to get on board with EMV chip & PIN. Once Canada finishes it's conversion America will be the last major mag-stripe holdout. ZIP-confirmation and other two-factor authentication hacks aren't going to cut it. Chip isn't 100% perfect, but it is 1,000x more secure than an unencrypted mag stripe and has yet to be compromised in the wild. Combined with EMV-compliant contactless payments and PIN-less low value transactions (so that PINs aren't captured en masse), the situation could be gre

ZIP confirmation has always seemed spectacularly useless. If you've got somebody's card, the ability to get their address seems trivial. The card comes with the name on it (including on the mag stripe), and Google will give you an address much of the time from that.

Is there some secret advantage here that I'm missing, or is it just the credit card company's lazy way of pretending to add security?

"Hey boss, marketing and/or legal say we have to have 'two factor authentication' in our product. We could adapt the smartcard chips they use in sims and...."

"Jesus fuck, man, that sounds expensive! We mail out those cards, sometimes unsolicited and pre-activated to poorly validated addresses, like goddamn candy. If your next scheme involves a per-card hardware cost, you might as well go pack your desk, to save security the trouble..."

While it is certainly more secure than mag stripe, the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.

I have nothing against better security, I do have a problem with better security being tarted up as evidence that no intrusion could possibly have occurred without the connivance of the customer.

Good that the situation was legally rectified(for the moment); but an illustration of the problem.

They, successfully, used the technological change to pass the buck for a number of years, until outrage and the law eventually caught up with them. Clearly, since the law had to force their hand, their intention was to keep the buck passed forever.

Given the, er, robust state of American democracy, and its laudable freedom from corruption and corporate influence at all levels, I for one am certain that thi

...the various issuing institutions, at least in Britain, have tried to use this to argue that theft/skimming losses should now be the fault of the "negligent" customer, rather than their problem.

Yes, Slashdot covered a similar case [slashdot.org] a few years ago. "Stolen car!? That's impossible with our current state-of-the-art RFID keys! You must have negligently left your keys where someone could take them; no insurance for you!"

The system relies on the chip to tell the terminal that a valid PIN was used, rather than the terminal+chip+PIN creating a cryptographic message to the bank so the bank can verify that a valid PIN was used. End result: All you need is a fake chip that always tells the terminal a valid PIN was used.

Since none of the articles linked to by the summary felt it was relevant to mention what these skimmers actually look like, here's an article from Consumerist.

That's an ATM skimmer, which are different to gas pump skimmers. Because the attackers don't have access to the inside of the ATM, everything is done by sticking gizmos on the outside of the ATM. With gas pumps, I don't think there are any signs that a user can see that a skimmer has been installed -- it's all internal to the gas pump.

Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.

The entirety of human knowledge at your fingertips, and you still insist on wearing your ignorance like a badge.

While I'm sure the author of that article is well intentioned, they get a few facts wrong. In addition to naming the wrong city, they have a incorrect picture. A correct picture can be found at the local newspaper [gainesville.com].

No, the second article was pretty clear that the devices are being placed in-between the reader and the rest of the pump. It's in-line, recording every signal the card reader sends to the processing system, and prior to the point that it's all encrypted for transmission.

Unlike ATM skimming devices, which are attached to the exterior of a machine, over the card reader, the Shell skimming device was actually inside the terminal, wired between the card scanner and the computer board.

What we need to do is make every debit and credit card use something like an RSA Secure ID token and make the user type in the pseudo random synced 6 digit code for every purchase. And then allow only one transaction for a card in that ~1 minute timeframe that the code is valid.

That would cut down on 99.99% of all opportunity for credit card fraud. You would either need the card/token on hand or have the algorithm and enough instance data to derive the key through brute force means.

The problem with RSA tokens is that the system doesn't scale. I have two credit cards, an ATM/debit card, several bank website logins, etc. I don't want those accounts tied together for security and privacy, and I certainly don't want to carry around a half-dozen tokens. Also, doesn't RSA claim a patent on the token setup (so they'd be a sole-source and raise costs across the board)?

Embed the token into the cards. They don't have a significant cost these days, and it would make the cards significantly more secure. Yes, it makes the cards more expensive than a piece of plastic and a magstripe, but really, it's not THAT much. Particularly when amortized over all the cards in circulation.

If you're going that far, you could also include the PIN entry keypad on the card and use a secure link to make it nearly impossible for an attacker to get your PIN via the capture device.

I already carry an RSA device with me for my PayPal account's online access. It has a serial number on it which links my particular device back to the algorithm and seed to generate the numbers. Why would it not be feasible for me to enter that serial number into my banks' systems so I have a single OTP that works for all of my cards? It would take some massive cooperation between the card companies to do so, but it sure would give them some nice good-will towards their customers.

Credit/debit companies make money on volume. They balance a certain level of fraud against the ease of obtaining credit. Thats why there is pin-less debit and signature-less credit below certain threshholds.

If the system was designed in such a way as to allow the generation of 1 time keys, instead of an embedded 16 digit number, this wouldn't be a problem. This could have been fixed 10 or maybe even 20 years ago... but we have the lowest possible cost system in place, and fraud is just a cost of business instead of a crime.

Interesting that this "insight from the banking industry" doesn't seem to indicate the banks have any responsibility for the problem.

There once was a time that people took their money to the bank for safekeeping. I think banks have partly weaseled themselves out of the security side of the business, and what used to be called "bank robbery" they now call "identity theft." Which works ok for the bank, seeing how it's the customer who lost the money and it must have been the customer's fault, or the gas station's, or the POS equipment vendor's.

The bank, which should act like a watchdog, portrays itself as something of an innocent bystander.

No, an individual card issuer does not have any responsibility, nor should they. It is the responsibility of the financial network to mandate minimum security requirements of each card issuer, and all terminals under their control. (e.g. Interac, Cirrus, Visa). It is only the card issuer's responsibility to adhere to the policy set out by their network.

After several years of being told by banks to watch out for large plastic attachments to ATM card slots, I've noticed that an increasing number of bank-owned ATMs now have them as a part of their design. The simple, flush-mounted card slot on a grey plastic / metal bezel is now giving way to a protruding translucent green plastic bulge on grey plastic / metal bezel.

Which makes less than zero sense.

They look fake as can be, especially when paired with a slightly older ATM with the more sensible slot.

Now, one might argue that the crazy card slots are a great theft deterrent because they preclude the attachment of a skimmer, but they also make it impossible for the machine to snap up a stolen card, nor do they really look legitimate enough to give the user peace of mind.

I used to write code that talked to gas pumps, and I can tell you that most pumps take the same key for the printer door, a different same key for the terminal (Gilbarco CRIND/Wayne CAT) door, and I think another same key for the pump control door. That's the same keys for the entire model run of a pump, and maybe for more than one model, unless maybe a big oil chain installs a different same key. Even then, they're those round locks like the ones that some laptop cables use that can be picked with a part from a Bic pen. (Presumably they're better made than the laptop cable locks.)

The card data is sent up to the station's control computer directly, usually both track 1 and track 2 data. I don't think it would be hard to insert a skimmer behind the door, whether a second mag reader head, or just splice the wires from the card reader. Or even rig the station control computer if you have access to that. (For that matter, all the card numbers may end up in a log file on that computer.)

There's not much danger of a pin pad skimmer, however, because in the US, PINs are protected by each pinpad having a master key injected into RAM before shipping to the site. They are potted in epoxy and have a memory kill switch if you attempt to open them. This works differently from the European system, which is why the US hasn't had to go to "chip and pin". The PIN is encrypted in the pad, the pinpad's serial number is attached, and the result is only decrypted by the card clearing house computers, which have a list of all the decryption keys. Even if the guy who ran the station was doing the skimming, debit PINs couldn't be skimmed and still work properly. But that's just debit. Credit cards don't have a PIN.

So unlike ATM skimmers, they could definitely hide the skimmer behind the door, but they would still need a camera of some sort to capture the PINs. Fortunately most gas pump terminals have a relatively flat front, so they can't just hide the camera on a different part of the panel.

Basically it looks like a thin bundle of electrical tape attached to the wire between the magstripe reader and the circuit board inside the gas pump -- completely hidden inside the pump cabinet unlike ATM skimmers.

Where does this stuff come from? I've seen gear like this on sale on Russian underground sites, together with custom trojans etc..., but if it comes from inside the states couldn't you just nab the problem at the source?

"The shim needs to be extremely thin and flexible. In fact it must be less than 0.1mm"

"The shim is inserted using a "carrier card" that holds the shim, inserts it into the card slot and locks it into place on the internal reader contacts."

"Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the ATM machine."

"flexible shims are recently being mass produced and widely used in certain parts of Europe"

"Diebold released five new anit-skimming protection levels for its ATM devices june 1st 2010...Unfortunately, none of these helps with the shim skimming attack. That problem has yet to be solved mechanically yet."

How about a way to magstripe the virtual # you get from Citi or equiv. Basically, you program the card before use at the station with a fresh virtual#. So, skim away! I couldn't care less if they skimmed a virtual#.